(Bloomberg) -- An Alabama man was charged over the January hack of the US Securities and Exchange Commission’s X account ahead of its highly anticipated decision to approve spot-Bitcoin exchange traded funds.
Federal Bureau of Investigation agents arrested Eric Council Jr. on Thursday morning and charged the 25-year-old with conspiring to commit aggravated identity theft, according to a statement from the Justice Department.
Council allegedly used the stolen personal information of an unnamed victim as well as an iPhone to break through the X account’s security measures, according to the indictment. The alleged scheme at one point involved Council impersonating an FBI employee who lost his phone, the government says.
The SEC’s account on X, formerly Twitter, was hacked in early January, just a day before it was set to announce approval of the first-ever spot market Bitcoin exchange traded products. The hacker took control of the agency’s official account and posted a message that said the SEC had granted approval to a handful of companies’ applications to trade the products.
The approval of the ETFs, which followed a long legal fight between the SEC and the issuer of one of the funds, was one of the most eagerly anticipated events ever in the digital-asset industry. The green light from the regulator helped push the original cryptocurrency to a record high of $73,797 in March. The funds have seen more than $20 billion of inflows and collectively now hold about $64.5 billion worth of assets, according to data compiled by Bloomberg.
The fake post with the premature approval caused the price of Bitcoin to surge $1,000, the Justice Department said. Once the SEC regained control of its X account and revealed the post was fake, Bitcoin fell by $2,000, according to the statement.
The SEC didn’t immediately respond to a request for comment.
Prosecutors say Council gained access to the SEC account using a so-called SIM swap, which is when hackers fraudulently activate a victim’s phone number on a different device in order to intercept their phone calls and messages. This allows hackers to receive multi-factor authentication codes when trying to reset a victim’s email, social media or cryptocurrency exchange account.
The SEC hack allegedly began on Jan. 9, when co-conspirators using encrypted text messages sent Council the victim’s personal identifying information, as well as a template for the victim’s identification card. Council allegedly used an identity card printer to create a fake ID for the victim, according to the indictment.
With the fake ID in hand, Council allegedly traveled to an AT&T store in Huntsville, Alabama, to get a SIM card linked to the victim’s account. Council then walked to an Apple store to buy a new iPhone for the swap, according to the indictment.
As soon as access to the victim’s phone was granted, the co-conspirators generated access codes to the victim’s social media accounts and shared them with additional co-conspirators, according to the indictment.
The fake post was issued by one of the unnamed co-conspirators, according to the indictment. Once that was done, Council allegedly drove to a service provider’s store in Birmingham, Alabama, to return the iPhone for cash.
The case is US v. Council, US District Court, District of Columbia (Washington).
--With assistance from Nicola M. White and Margi Murphy.
(Updates with detail on the alleged hacking scheme.)
©2024 Bloomberg L.P.